

**What is claimed is:**

- pub A1*
- 5 1. A system for monitoring the status of and switching control between a pair of redundant controllers wherein one controller is functioning as an active controller and one controller is functioning as a standby controller, the system comprising:  
two monitors, each monitor being connected to and associated with a controller, wherein the two monitors are capable of receiving status signals from the controller with which they are associated;
- 10 two communication links between the two monitors for exchanging status signals associated with the status of the controllers with which the monitors are associated; and
- 15 two triggers, each trigger connected to and associated with a controller, each mono-stable trigger further connected to the monitor associated with each controller, wherein the triggers provide a signal for the controller with which it is associated.
- 20 2. A system for monitoring the status of and switching control between a pair of redundant controllers according to claim 1 wherein the monitors comprise logic means for determining which controller is the active controller and which is the standby controller.
- 25 3. A system for monitoring the status of and switching control between a pair of redundant controllers according to claim 1 wherein the system further comprises two resistors, one resistor being attached to each communications link for providing the proper state to the standby controller.
- 30 4. A system for monitoring the status of and switching control between a pair of redundant controllers according to claim 1 wherein the two monitors are field programmable gate arrays.
- 5 . A system for monitoring the status of and switching control between a pair of redundant controllers according to claim 1 wherein the logic is a state machine.

- Art A1
6. A computer suitable or use in an application requiring reliability of operation, the computer comprising:
- a first controller, the first controller operating as an active controller;
- a second controller, the second controller operating as a standby controller, wherein the second controller is capable of assuming the operations performed by the first controller, the first and second controller forming a pair of redundant controllers;
- a first logic device connected to and associated with the first controller, wherein the first logic device is suitable to receive status signals from the first controller;
- a second logic device connected to and associated with the second controller, wherein the second logic device is suitable to receive status signals from the second controller;
- two triggering means, each triggering means connected to and associated with a controller, the triggering means further connected to the logic device associated with the controller with which the triggering means is associated, the triggering means providing a signal to the controller; and
- two communications links providing for communications between the first and second logic devices.
7. A computer according to claim 6 wherein the fist and second logic devices comprise logic means for determining which controller is the active controller and which is the standby controller.
8. A computer according to claim 7 wherein the logic means comprised by the fist and second logic devices is a state machine.
9. A computer according to claim 6 wherein the first and second logic devices are field programmable gate arrays.
10. A computer according to claim 6 wherein the computer further comprises two

*sub A1*

resistors, one resistor being attached to each communications link for providing the proper state to the second controller.

5 11. A computer according to claim 6 wherein the triggering means are mono-stable triggers.

10 12. A computer according to claim 6 wherein a controller, the logic device associated with it, the triggering means associated with it are comprised by a board located within the computer.

15 13. A computer according to claim 12 wherein the communication links between the logic devices are conducting traces, the conducting traces being located on a board other than that on which controller, the logic device associated with it, the triggering means associated with it are comprised.

14. A computer according to claim 12 wherein the communication links between the logic devices are communications links suitable for connecting a first and second logic device which are located remotely from one another.

20 15. A state machine for the arbitration of control between two redundant controllers, the state machine being implemented as logic on a logic device wherein the state machine permits only one of the two redundant controllers to be an active controller, the two controllers being able to set status signals in a manner indicating either their current or future status, the state machine comprising:

25 an active state wherein the active controller resides in the active state when the redundant controllers are not arbitrating to determine the active controller;

a standby state wherein the controller that is not the active controller resides in the standby state when the controllers not arbitrating to determine the active controller;

30 a first decision front, the first decision front being entered when the standby controller forcibly attempts to become the active controller;

a second decision front, the second decision front being entered when the

*prob A1*

active controller requests to become the standby controller; and  
a third decision front, the third decision front being entered by the active  
controller when the active controller is to become the standby controller.

- 5        16. A state machine according to claim 15 wherein the first decision front comprises a plurality of states corresponding to a plurality of clock cycles, through which the standby controller that is requesting to become the active controller must pass to become the active controller, the standby controller, in each state of the plurality of states, setting a status signal in a manner indicating it is the active controller.
- 10      17. A state machine according to claim 16 wherein there are three clock cycles.
- 15      18. A state machine according to claim 15 wherein the second decision front comprises:  
                a first state wherein the standby controller sets a status signal in a manner indicating it is the standby controller; and  
                a second state wherein the standby controller sets a status signal in a manner indicating it is the standby controller, the second state being entered by the standby controller if an identification parameter is set at a certain value.
- 20      19. A state machine according to claim 18 wherein the controller that passes through one state of the second decision front becomes the active controller and the controller that passes through both states of the second decision front becomes the standby controller.
- 25      20. A state machine according to claim 18 wherein the identification parameter identifies a location on a midplane of an industrial computer in which the board on which the logic device comprising the state machine is located in an even or odd numbered slot.
- 30      21. A state machine according to claim 15 wherein the third decision front comprises:  
                a first state wherein the active controller sets a status signal in a manner

*part A1*

indicating it is the active controller; and  
a second state wherein the active controller sets a status signal in a manner indicating it is the active controller, the second state being entered by the active controller if a status signal associated with the standby controller is set to indicate the standby controller is to be the active controller.

5 22. A method by which a standby controller forcibly becomes the active controller, the method comprising the steps of:

10 setting a parameter low by the standby controller, the parameter indicating that the standby controller is to forcibly become the active controller;

entering a first decision front of a state machine, the first decision front containing a plurality states;

15 setting a status signal of the standby controller to indicate it is the active controller; and

maintaining the status signal of the standby controller to indicate it is the active controller throughout the plurality of states in the first decision front.

20 23. A method according to claim 22 wherein there are three states in the first decision front.

24. A method by which a standby controller becomes the active controller when the active controller has indicated it is to become the standby controller by setting a status signal indicating it is the active controller low, the active and standby controllers being able to communicate status signals through monitors associated with the active and standby controllers, the monitors being able to monitor status signals of the controller with which they are associated and status signals of the controller with which they are not associated; the method comprising the steps of:

25 setting a status signal of the standby controller high, indicating the standby controller is to remain the standby controller;

monitoring a status signal of the active controller, by the monitor associated with the standby controller;

30 remaining as the standby controller if the status signal of the active controller

*sub A1*

is set low;

setting a status signal of the standby controller high, indicating the standby controller is to remain the standby controller if an identification parameter of the standby controller has a certain value;

5 monitoring a status signal of the active controller, by the monitor associated with the standby controller; and

remaining as the standby controller if the status signal of the active controller is set low.

10 24 A method by which an active controller becomes the standby controller when the standby controller has indicated it is to become the active controller by setting a status signal indicating it is the active controller low, the active and standby controllers being able to communicate status signals through monitors associated with the active and standby controllers, the monitors being able to monitor status signals of the controller with which they are associated and status signals of the controller with which they are not associated; the method comprising the steps of:

setting a status signal of the active controller low, indicating the active controller is to remain the active controller;

monitoring a status signal of the standby controller, by the monitor associated with the active controller;

remaining as the active controller if the status signal of the standby controller is set high;

setting a status signal of the active controller high, indicating the active controller is to remain the active controller;

25 monitoring a status signal of the active controller, by the monitor associated with the standby controller; and

remaining as the active controller if the status signal of the standby controller is set high.